The audit and compliance ecosystem has become a jungle of varying compliance platform and audit firm alliances. Our alliance with Drata unlocks great synergies and protects the independence and integrity that trust is built on for our mutual clients.
Background
There have long been synergies with audit firms partnering with governance, risk and compliance (GRC) platforms. But the increasingly blurred independence lines in the industry have made these alliances less clear cut, and more important than ever.
AssuranceLab used to partner with any software companies that our clients wanted to use for their compliance. That would provide them with better support and allow them to use various products to support their compliance. It streamlined the connection between how they implement compliance, and the audit services (and supporting tech) used to verify that compliance. These two functions need to be independent of each other, but the cooperation between audit firms and GRC platforms helps provide a seamless and complete solution to those clients.
As the compliance market has become fiercely competitive, these previously respected lines of independence have been blurred and even crossed. The industry has become fragmented as a result.
Some platforms are vying for maximum control over audit firms to support the narrative that they automate everything, and the auditors blindly accept it. That’s appealing to customers to reduce the compliance effort. The platforms can then control the market by influencing client expectations in an industry that’s generally not well understood. When you combine large investor backing and marketing budgets, with a narrative the market wants to hear, audit firms are pressured to go along with it or lose market relevance.
When audit firms maintain their independence, properly challenge the controls, and speak up to those platforms, they can be met with resistance. It may be claimed they are not “using the fullness of the platform”. In-house customer success or “audit support” teams amp up pressure on the auditors. The platforms may discontinue support and remove audit firms from their "pre-vetted audit firm" network if they don't play ball. In our case that meant some of our clients were offered credits to switch to preferred auditors, and various inaccurate trash-talk followed. Thankfully our clients saw through it and opted to continue with us. Most of them have migrated to Drata that doesn’t operate in this way.
On the other side, some audit firms are building their own platforms. They are introducing features that arguably breach their auditor independence to resist the competitive threat of the platforms.
Both sides want to be the complete solution, with huge commercial and competitive advantages of doing so.
Drata + AssuranceLab alliance
Not all platforms and audit firms are crossing lines, which is where our Drata + AssuranceLab alliance comes in.
Drata maintains an open and transparent auditor alliance that welcomes all audit firms, provides training on how to use the Drata platform, and encourages those firms to challenge the compliance features.
AssuranceLab and our platform Pillar, are building a new and better way for audits with advanced automation to enable more scalable, collaborative and user-friendly audits. We don't build any features that design or implement our clients' compliance.
Drata + AssuranceLab are both sticking to our lane, and respecting the role of the other. Doing things the “right” way may seem harder in an industry relentlessly searching for shortcuts. But there are some major benefits of sticking to our respective lanes and collaborating on areas of overlap.
Client choice is respected
You can choose your preferred platform AND any audit firm. Audits are a large investment initially but also very much considering how they continue over the years. Picking one that fits your culture and goals, means you get so much more value out of the relationship.
There are real security and operational benefits
When the focus goes beyond box-ticking, with auditors that actually challenge the way things are done, it builds features and clients' security postures to achieve better outcomes. Whether you want to sleep better at night, create a long term sustainable company, or actually earn and maintain trust, real security is better.
We often hear from clients that these compliance projects are an ideal time and way to uplift the way they operate for their next stage of growth. That includes better defined processes, clarity of responsibilities, and new systems that scale and reduce the reactive firefighting that contributes to growth pains.
Covering more of what customers care about
A common misconception is all SOC 2 reports or ISO certs are the same. That the job is done when you achieve those. But in practice, your growing list of enterprise customers are looking to see how you meet their specific requirements. A box-ticked SOC 2 report with a generic and minimal set of compliance controls, covers less of your enterprise customers expectations. That means you make a large investment only to fall short and continue to need manual due diligence and vendor reviews to address the remaining gap. It is often best to start with a minimal set and build on those, and that's where using a more flexible platform like Drata and higher quality audit service like AssuranceLab, future-proofs your compliance needs.
Leading the market together
The best bit about Drata + AssuranceLab is the way we lead the market together. There are great synergies of combining our perspectives coming from the two sides of the compliance problem. Below are some of the areas our two propositions fit well together to cover more ground, future-proof our mutual clients requirements, and help them achieve better outcomes.
Custom frameworks
Earlier this year, we built 10 custom frameworks for Drata, to cover additional standards like CSA STAR, MVSP, Cyber Essentials+, CPS 234, the Consumer Data Right, and customer-specific requirements like Commonwealth Bank of Australia’s vendor risk framework. Audit experts are best placed to build these frameworks as we work directly with the standards, we have the credentials, and ultimately sign off the compliance reports and certs against those standards. With our refined compliance data model, we can very quickly build these frameworks to leverage Drata's market leading automation.
Tailoring the controls
Generic compliance causes headaches trying to fit into a cookie-cutter way of achieving compliance. Each company is unique, and tailoring the controls provides greater clarity and fit to reduce the compliance burden.
Our Pillar platform has two main functions; (1) maps our clients tailored or custom controls to accurately reflect their scope and ways of operating, and (2) enables collaborative and responsive audits for a well-supported audit process. Drata’s custom controls functionality and open API mean that our clients can use all their tailored controls in Drata to leverage all of the automation available.
This tailored approach works best for scale ups to enterprise in particular. These are the types of companies that have been slower to adopt compliance automation platforms due to their greater needs for flexibility. So this combination offers the best of both worlds to those clients, and by integrating Drata + Pillar, we can offer this way at scale to our clients with a seamless user experience.
Complementary tools
Compliance platforms excel at building automation, client-driven features, and integrations. But other areas like policies and system descriptions, audit firms are the experts. They’ve reviewed thousands of different versions and have the best understanding of how these link to the controls and frameworks. That’s where our PolicyTree solution for example, can complement Drata by automating the workflows to prepare policies and the system descriptions in a more complete, accurate, and tailored approach to fit each unique company. That fits well with Drata’s policy centre that connects it to all the relevant controls, frameworks, and sign off workflows.
Audit playbooks
By closely collaborating to understand Drata’s design, we build effective audit playbooks to simplify the path to compliance. Our Drata Starter framework is a good example of this, where we designed a playbook for startups looking to achieve compliance with minimal controls, time and cost. Our understanding of Drata and what's required to sign off compliance with global standards, means we can provide a very clear view of what's required, where there is flexibility, and tips and guidance to help our clients stand up their compliance program in Drata effectively.
Continuous audit
A Drata + AssuranceLab exclusive we implemented this year, is continuous audit. It's been talked about for decades and considered a "no-brainer" for clients, but it hasn't been commercially viable for audit firms to deliver at scale.
The huge benefits include reducing the disruption of audits, giving greater confidence in compliance year-round, and some major efficiencies when it's done right. That's in contrast to audits upending the business for weeks or months, identifying compliance failures when it's too late to fix, and digging up audit evidence and answering queries for things that happened up to 12 months ago.
The combination of Drata + AssuranceLab is what enables continuous compliance. It requires continuous monitoring data feeds to be viable to audit continuously. It also requires the systems and processes for auditors to manage and track various client audits concurrently. We've successfully rolled this out for five pilot clients, with dozens of others signed up to transition to it. All signs are showing it's viable to roll out across all of our mutual clients.
Beyond security compliance
In all compliance, there are areas that can be automated and others that cannot be. Security compliance has taken off as a specialist category based on the higher degree of automation that can be applied. Pillar and our leading compliance data model, enables that automation to be connected into broader compliance areas like environmental, social and governance (ESG). Three of the additional frameworks we built in Drata include our ESG reporting framework, GRI - the leading ESG reporting standard, and the United Nations SDGs. There is huge overlap between areas of compliance, including security compliance and ESG. This means our mutual clients can achieve a high degree of automation for their security compliance, AND combine it with lots of other areas of compliance, in Drata that is centrally managed for a single point of oversight.
Client and auditor side automations
The nature of the compliance problem Drata + AssuranceLab are solving, is a two-sided problem with two parties. Clients, or companies that need to be compliant, need to implement and prove that compliance. Auditors are qualified firms that need to verify that compliance. Automation that helps the client, and/or helps the auditors, also helps the other party too since they have the same goals. For example, if you automate the audit practices, there are less onerous manual requests and less cost for the audits because they require less work.
That's where Drata's powerful automation focused primarily on the client-side, is complemented by Pillar that's focused primarily on the auditor-side. As the market matures it's the combination on both sides that future-proofs our success, enabling compliance automation and real trust to be built on serving the needs of both clients and audit firms for mutual success.
As we continue to work with Drata the future looks bright. In the short term, companies will continue looking for shortcuts and minimising costs. That makes it appealing for platforms and audit firms to cross lanes and try to cover both sides. But in the long term that undermines the trust that compliance is designed to build. It misses the many benefits above of collaborating and combining synergies in this highly complex and two-sided market problem.